DNS Record creation in AWS R53

I need help creating DNS records in AWS R53. The Ansible module that I’m looking at assumes I know what to include in the playbook for programmatic access to AWS but I don’t… also, I don’t know if I need to specify the AWS URL or any other required information.

I’m using the amazon.aws.route53 module.

This is my code so far:

- name: Set environment variables for AWS credentials
  hosts: localhost
  gather_facts: no
  environment:
    AWS_ACCESS_KEY_ID: "{{ aws_id }}"
    AWS_SECRET_ACCESS_KEY: "{{ aws_key }}"
    AWS_REGION: 'us-east-1'
  tasks:
    - name: Get DNS record from AWS R53
      amazon.aws.route53:
        state: get
        zone: <hosted-zone>
        record: <dns-record>
        #ttl: 
        #value: 
        #wait: 

I don’t have much experience with Ansible, any help would be much appreciated!

I’m sorry, I don’t quite understand - “The Ansible module that I’m looking at assumes I know what to include in the playbook for programmatic access to AWS but I don’t” - this is pretty necessary? Generally the rule of thumb for AWS+Ansible is:

  1. Do it in AWS CLI (or at least, manually through the AWS Console)
  2. Translate it into Ansible Module

So that requires some knowledge of the values you would need to enter. If you don’t know those values, you would have to work with someone at your organization who could provide them to you.

amazon.aws.route53 is the correct module (amazon.aws.route53 module – add or delete entries in Amazons Route 53 DNS service — Ansible Community Documentation). The examples on that page are good, the first one gives a simple visual of adding a record:

- name: Add new.foo.com as an A record with 3 IPs and wait until the changes have been replicated
  amazon.aws.route53:
    state: present
    zone: foo.com
    record: new.foo.com
    type: A
    ttl: 7200
    value: 1.1.1.1,2.2.2.2,3.3.3.3
    wait: true

Sorry for the confusion. I understand the examples on the Ansible modules page, just confused about AWS access.
Does this part of my playbook look correct?

- name: Set environment variables for AWS credentials
  hosts: localhost
  gather_facts: no
  environment:
    AWS_ACCESS_KEY_ID: "{{ aws_id }}"
    AWS_SECRET_ACCESS_KEY: "{{ aws_key }}"
    AWS_REGION: 'us-east-1'
  tasks:

I’m getting this error when running the playbook: Failed to connect to the host via ssh: ssh: connect to host 127.0.0.1 port 22: Connection refused

You seem to have an explicit entry for localhost in your inventory which specifies an IP (127.0.0.1), but not connection: local. The entry (without connection: local) causes Ansible to try to connect to localhost with SSH, which causes the error you reported.


Right, what @felixfontein said for the error you are receiving.

For your environment block, it looks fine, although I personally do it a different way - instead of using Key ID & Secret Key, I use an AWS Profile - I could never get feeding the keys in Ansible tasks working properly myself, although many others use it with no issue.

So mine looks like this, and in my AWS CLI setup on the Ansible Server, I define the profiles as needed.

  environment:
    AWS_PROFILE: "ansible-devops"

If you have AWS environment vars set on the host (like AWS_SESSION_TOKEN), the environment vars in the play would need to fully override those to avoid mixed credentials. You could check if it’s working with amazon.aws.aws_caller_info module – Get information about the user and account being used to make AWS calls — Ansible Community Documentation.

environment isn’t a secure way to pass credentials though. You could use module_defaults set at the play/block level instead, like this amazon.aws/tests/integration/targets/iam_group/tasks/main.yml at stable-7 · ansible-collections/amazon.aws · GitHub. The module options access_key, secret_key, session_token (you could swap those 3 out with aws_profile if you go that route) and region will be passed to all action plugins and modules in the amazon.aws and community.aws collections.

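Putting the suggestions from this thread together (connection: local for the localhost play, credentials via module_defaults rather than environment, an aws_caller_info check before touching DNS), as an added example that is not from any post here. The zone and record names, the vault file name and its variable names are assumptions.

```yaml
# Added example, not from any post in this thread.
# Assumes a vault-encrypted file aws_creds.yml that defines aws_access_key,
# aws_secret_key and (optionally) aws_session_token, and that the hosted
# zone example.com already exists in Route 53.
- name: Manage a Route 53 record with credentials passed via module_defaults
  hosts: localhost
  connection: local          # run the play locally; avoids "connect to host 127.0.0.1 port 22" over SSH
  gather_facts: false
  vars_files:
    - aws_creds.yml          # assumed vault file; load with --ask-vault-pass or --vault-password-file
  module_defaults:
    group/aws:               # applies to every module in amazon.aws and community.aws
      access_key: "{{ aws_access_key }}"
      secret_key: "{{ aws_secret_key }}"
      session_token: "{{ aws_session_token | default(omit) }}"
      region: us-east-1
      # If you use a CLI profile instead, replace the three key options with:
      # profile: ansible-devops
  tasks:
    - name: Confirm which identity the credentials resolve to before touching DNS
      amazon.aws.aws_caller_info:
      register: caller

    - name: Show the account and ARN actually in use
      ansible.builtin.debug:
        msg: "Account {{ caller.account }} as {{ caller.arn }}"

    - name: Create or update an A record and wait until the change has propagated
      amazon.aws.route53:
        state: present
        zone: example.com
        record: app.example.com
        type: A
        ttl: 300
        value: 203.0.113.10   # RFC 5737 documentation address, constructed for this example
        wait: true
        overwrite: true       # update the record if it already exists
```

If the aws_caller_info task reports an unexpected account or ARN, stop there: it means host-level variables such as AWS_SESSION_TOKEN or a default profile are still being picked up.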

Thanks for the info/suggestions.
I found out the credentials I was using to test the playbook don’t have the right permissions in AWS. Once I sort that out, I plan to use aws_profile method for programmatic access.
Thanks again!